Federal Housing Finance Agency
Office of Inspector General

FHFA Oversight of Freddie Mac’s Information Technology Investments

Audit Report • AUD-2014-017 • September 25, 2014

September 25, 2014

TO: Nina Nichols, Deputy Director for Enterprise Regulation

FROM: Russell A. Rau, Deputy Inspector General for Audits

SUBJECT: FHFA Oversight of Freddie Mac’s Information Technology Investments

Summary

Freddie Mac annually makes substantial investments to maintain and improve its information technology (IT) infrastructure, which is vital to its mission of helping to provide liquidity, stability, and affordability in the nation’s housing market. In fact, Freddie Mac maintains an IT investment portfolio of over 250 individual projects.[1] Large organizations making such substantial investments in IT should ensure that each investment decision is subjected to careful scrutiny to ensure, among other things, that the investment’s risks and returns have been evaluated and are understood; it aligns with the organization’s mission; it continues to meet mission needs at the expected levels of cost and risk; and its impact on mission performance is evaluated.
In order to effectively scrutinize their investments, federal and industry organizations implement and enforce IT investment management processes.

As conservator of Freddie Mac, FHFA is charged with preserving and conserving Freddie Mac’s assets and has broad responsibility for managing the Enterprise’s activities to fulfill its mission.[2] FHFA fulfills this obligation in part through the exercise of its delegations of authority to review and approve Freddie Mac’s business decisions, and to review key documents, such as Freddie Mac’s annual operating budget. FHFA requires that Freddie Mac’s systems provide relevant, accurate, and timely information that is secure and supported by contingency arrangements.[3] FHFA, under its supervisory and regulatory authorities regarding Freddie Mac, has a continuous examination program that encompasses Freddie Mac’s IT infrastructure. FHFA’s Office of Inspector General (OIG) conducted this audit to evaluate FHFA’s oversight of Freddie Mac’s IT investment management processes.

[1] An IT investment portfolio is the combination of all IT assets, resources, and investments owned or planned by an organization in order to achieve its mission and strategic goals and objectives.
[2] FHFA was appointed conservator for Freddie Mac in September 2008.
[3] 12 CFR Part 1236, Appendix, “Prudential Management and Operational Standards.”

Federal Housing Finance Agency Office of Inspector General • AUD-2014-017 • September 25, 2014

Overall, OIG concluded that FHFA could improve its oversight of IT investments at Freddie Mac.
Meeting Enterprise-wide business and user needs in a cost-effective and risk-based method can be enhanced by: (1) determining through examination whether Freddie Mac has implemented and is enforcing an effective IT investment management process; (2) issuing guidance on required objectives and controls in IT investment management processes, particularly at the portfolio level; and (3) evaluating whether currently utilized Freddie Mac reports provide the information necessary to conduct effective supervisory monitoring of Freddie Mac’s portfolio of IT investments.

As conservator, FHFA approves Freddie Mac’s annual operating budget but does not specifically review and approve the IT component of the budget, or review and approve individual IT projects unless an investment would constitute a significant change to Freddie Mac’s operations. Thus, supervisory review of Freddie Mac’s entire IT investment management process is even more important to protect FHFA’s interests as there is no corresponding conservatorship control to assess IT investments at the portfolio level. As a result, FHFA has limited assurance that Freddie Mac has implemented and enforces effective IT investment management practices and processes. Accordingly, OIG made recommendations to strengthen FHFA oversight, and the Agency generally agreed. Refer to Appendix B for the Agency’s comments and Appendix C for OIG’s evaluation of those comments.

Background

Fannie Mae and Freddie Mac are federally chartered to provide stability and liquidity in the home mortgage loan market. On July 30, 2008, the Housing and Economic Recovery Act of 2008 established FHFA as the Enterprises’ regulator. Among its responsibilities, the Agency oversees their safety and soundness, supervises their support of housing finance and affordable housing goals, and facilitates a stable and liquid mortgage market.
On September 6, 2008, FHFA became the Enterprises’ conservator to help protect them, and therefore the wider financial market, from collapse. As conservator, FHFA is charged with preserving and conserving Enterprise assets, ensuring their focus on the housing mission, and preparing for the future of the housing market. Through supervision and regulation, FHFA helps to ensure that the Enterprises are operating in a safe and sound manner so that they can serve as a reliable source of liquidity and funding for housing finance and community investment.

Freddie Mac is making substantial investments in IT in order to better support its operations and reduce risk. As reported in its 2013 annual financial statements, Freddie Mac recently completed a 3-year multimillion dollar project to move key legacy applications and infrastructure to more current technology. It is making investments to maintain technology, to standardize its technology portfolio, and to focus on emerging information security risks.[4] These investments are deemed by FHFA to be critical to Freddie Mac’s safety and soundness. A strong IT investment management process is critical to an organization such as Freddie Mac that is making such large IT investments.[5] The process should help ensure that decisions on major IT expenditures are required and cost-effective, and that the investments, once funded, are regularly monitored and managed.

[4] Federal Home Loan Mortgage Corporation, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934, for the fiscal year ended December 31, 2013, http://www.freddiemac.com/investors/er/pdf/10k_022714.pdf. Accessed on July 30, 2014.

Research suggests that the quality of investment decisions for IT projects can have a dramatic effect on an organization. One study published by the Massachusetts Institute of Technology found that investment in IT had a greater impact on an organization’s profitability than investments in advertising or research and development.[6] Another study found that economic and competitive pressures can compel organizations to cut costs and force them to scrutinize their IT operating and capital budgets more carefully, thereby making correct IT investment decisions economic and competitive necessities. Further, failure in IT projects is partly attributable to a lack of solid management tools for evaluating, prioritizing, monitoring, and controlling IT investments.[7]

Federal agencies are required by the Clinger-Cohen Act to establish IT investment and capital planning processes and performance management.[8] Additionally, the Office of Management and Budget has issued related directives and guidance. The Government Accountability Office (GAO) developed the IT Investment Management Maturity (ITIM) framework around the select/control/evaluate approach described in Clinger-Cohen.[9] It provides a systematic method for federal agencies to minimize risk while maximizing the returns of IT investments. ITIM identifies and organizes processes critical for successful IT investment as an organization’s IT systems mature, which offers agencies a way to evaluate and assess how well they are selecting and managing their IT resources.
GAO framed ITIM in terms of five stages of maturity, as shown in Figure 1.

[5] IT investment is defined as the expenditure of resources on selected information technology or IT-related initiatives. The expectation is that the benefits from the expenditure will exceed the value of the resources expended.
[6] Sunil Mithas et al., The Impact of IT Investments on Profits, MIT Sloan Management Review (Spring 2012), http://sloanreview.mit.edu/article/the-impact-of-it-investments-on-profits/. Accessed July 29, 2014.
[7] A. Gunasekaran et al., A Model for Investment Justification in Information Technology Projects, International Journal of Information Management, at 349-64, (2001). http://www.umassd.edu/media/umassdartmouth/businessinnovationresearchcenter/publications/it_justification.pdf. Accessed July 28, 2014.
[8] The Clinger-Cohen Act (also known as the “Information Technology Management Reform Act of 1996”), Pub. L. 104-106, Division E, codified at 40 U.S.C. Chapter 25.
[9] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G (March 1, 2004), http://www.gao.gov/products/GAO-04-394G. Accessed July 29, 2014.

FIGURE 1: The Five Stages of Maturity within the ITIM Framework

Enterprise and Strategic Focus

   STAGE 5: Leveraging IT for strategic outcomes.
      Description: The organization has mastered the selection, control, and evaluation processes and now seeks to shape its strategic outcomes by benchmarking its IT investment processes relative to other “best-in-class” organizations.

   STAGE 4: Improving the investment process.
      Description: The organization is focused on evaluation techniques to improve its IT investment processes and portfolio(s) while maintaining mature selection and control techniques.

   STAGE 3: Developing a complete investment portfolio.
      Description: The organization has developed a well-defined IT investment portfolio, using an investment process that has sound selection criteria and maintains mature, evolving, and integrated selection, control, and evaluation processes.

Project-Centric Focus

   STAGE 2: Building the investment foundation.
      Description: Basic selection capabilities are being driven by the development of project selection criteria, including benefit and risk criteria, and an awareness of organizational priorities when identifying projects for funding. Executive oversight is applied on a project-by-project basis.

   STAGE 1: Creating investment awareness.
      Description: Ad hoc, unstructured, and unpredictable investment processes characterize this stage. There is generally little relationship between the success or failure of one project and the success or failure of another project.

Source: GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G (March 1, 2004).

GAO defines the fundamental phases of the IT investment approach as follows:[10]

• SELECT PHASE – the organization (1) identifies and analyzes each project’s risks and returns before committing significant funds to any project, and (2) selects those IT projects that will best support its mission needs. This process should be repeated each time funds are allocated to projects, reselecting even ongoing investments as described below.

• CONTROL PHASE – the organization ensures that as projects develop and investment expenditures continue, the project continues to meet mission needs at the expected levels of cost and risk. If the project is not meeting expectations or if problems have arisen, steps are quickly taken to address the deficiencies. If mission needs have changed, the organization is able to adjust its objectives for the project and appropriately modify expected project outcomes.

• EVALUATE PHASE – actual versus expected results are compared after a project has been fully implemented. This is done to (1) assess the project’s impact on mission performance, (2) identify any changes or modifications to the project that may be needed, and (3) revise the investment management process based on lessons learned.

[10] Id., at 8-9. Accessed July 30, 2014.

The investment process does not end with the evaluation phase. A project can be active concurrently in more than one phase of the select/control/evaluate model. After a project has been designated for initial funding in the select phase, it becomes the subject of evaluation throughout the control phase for the purposes of reselection. Reselection is an ongoing process that continues for as long as a project is receiving funding. If a project is not meeting the goals and objectives that were originally established when it was selected, or if the goals have been modified to reflect changes in mission objectives, and corrective actions are not succeeding, a decision must be made on whether to continue to fund the project. Ultimately, “deselection” can be one of the most difficult steps to implement, but it is necessary if funds can be better utilized elsewhere. Once projects are operating and being maintained, they remain under constant review for reselection.

In addition to GAO’s ITIM, other IT investment management methodologies are used in the industry as they are considered best practices.
Freddie Mac is not legally bound by all the laws and federal guidance for managing IT investments that relate to federal entities, and may choose to follow commercial IT investment management best practices. Regardless, FHFA, as the conservator and regulator of Freddie Mac, is responsible for ensuring that the Enterprises use safe and sound practices to achieve efficiency and minimize losses on its operations. As such, FHFA should recognize that IT investment management is a best practice that should be used by Freddie Mac, given its current and planned IT expenditures.

Freddie Mac’s IT Budget and Expenditures

Freddie Mac has acknowledged the need to improve its IT systems. For example, in its 2013 financial statements, Freddie Mac stated that its primary business processing and financial accounting systems lack sufficient flexibility to handle all the complexities of, and changes in, business transactions and related accounting policies and methods. This requires Freddie Mac to rely more extensively on spreadsheets and other end-user computing systems that could have a higher risk of operational failure and error. Freddie Mac’s planned IT expenditures over three years are expected to exceed $1 billion. In 2013, Freddie Mac officials stated that its current year expenditures support over 250 projects that align with its corporate strategic plan.
Figure 2 shows the growth of Freddie Mac’s IT budget and expenditures since 2011.

FIGURE 2: Freddie Mac IT Expenditures 2011-2014 – Budget to Actual ($ Millions)

[Bar chart: IT Budget and IT Actual by year, 2011 to 2014; vertical axis in $ millions, from $0 to $600. Data labels as extracted, left to right: 2011: 452, 422; 2012: 370, 378; 2013: 372, 483; 2014: 533.]

Source: Freddie Mac

Freddie Mac’s IT projects result from both internal needs and those mandated by FHFA and others. However, according to FHFA officials, the Agency does not generally review and approve individual IT projects. Some of Freddie Mac’s projects have experienced significant cost increases. For example, one IT-related project under way is intended to address safety and soundness issues identified in an FHFA examination. In May 2013, Freddie Mac requested conservator approval to invest $198 million in this project over approximately five years. FHFA determined that approval of the IT project was within Freddie Mac’s delegated authority and did not review or render a decision on the project. Within six months of the request to FHFA, Freddie Mac recognized the need for a significant scope change that resulted in the need to allocate additional funding.
This large, near-term scope modification calls into question the reasonableness of the initial and remaining cost, schedule, and performance parameters. In September 2013, Freddie Mac again requested FHFA approval, this time for the additional funding needed to address the scope change. However, FHFA did not review the project or render a decision. As such, FHFA did not assess the justification for the additional expenditures or the risk of future delays and cost increases given that over four years remained to complete the project. Freddie Mac has also reported other instances of cost overruns on IT projects.

Given the level of delegation to the Enterprise, FHFA should ensure that Freddie Mac utilizes an effective process to manage its IT investments and that those investments achieve the best value for the Enterprise in fulfilling its mission. An effective ITIM process adds confidence that a proposed investment’s risks and returns have been evaluated using qualitative and quantitative measures, that controls are in place to ensure that the project continues to meet mission needs at the expected levels of cost and risk, and that adequate funds and resources are available for project success.

Conservator Review of Freddie Mac’s Budget

In 2008, FHFA issued instructions[11] to Freddie Mac’s Board of Directors and senior management detailing operational activities that require conservator approval versus those that require conservator notification.[12] As detailed in its instructions, FHFA approves Freddie Mac’s annual operating budget, but Freddie Mac is only required to notify FHFA of any significant changes (i.e., increases) to its annual budget.
The Agency typically does not view changes in Freddie Mac’s budget as an item that requires Conservator approval; the Agency considers budget changes to be operational in nature and within Freddie Mac’s delegated authority to approve. Further, the Agency does not separately approve components of Freddie Mac’s operating budget, including IT. Lastly, the Agency would only consider review of budget adjustments related to a significant change to Freddie Mac’s operations per its instructions or if Freddie Mac requests FHFA’s review.

Separately, FHFA issues an annual conservatorship scorecard, which outlines specific objectives and milestones that Freddie Mac must achieve as part of its operations.[13] Within these objectives are supporting investments, which may have underlying IT components that are monitored by FHFA’s Office of Strategic Initiatives (OSI). On a quarterly basis, OSI assesses Freddie Mac’s progress in achieving the conservatorship scorecard objectives and milestones, which includes the assessment of any IT investments that support scorecard objectives. OSI does not, however, assess Freddie Mac’s progress in meeting objectives and milestones for its non-scorecard-related projects. Freddie Mac expended 21% of its IT budget for scorecard-related projects that were monitored by OSI and expended the remaining 79% on IT for non-scorecard-related projects, which were not specifically monitored at a project level by OSI.[14]

Supervisory and Regulatory Oversight of Freddie Mac’s IT Investment Management Process

The Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended, grants FHFA supervisory and oversight responsibilities for the Enterprises.[15] FHFA is required, by statute, to examine Freddie Mac at least annually to ensure its safety and soundness.
FHFA may also conduct targeted examinations, ongoing monitoring, or compliance reviews, as part of its supervision and oversight. FHFA’s Division of Enterprise Regulation (DER) is responsible for these supervisory and regulatory duties. In addition, FHFA issues formal guidance to Freddie Mac in the form of advisory bulletins designed to communicate guidance, including IT, and to help achieve mission-critical goals and objectives.

[11] In November 2008, FHFA issued an order to Freddie Mac outlining functions, responsibilities, and authorities of its Board of Directors. FHFA also issued a Letter of Instruction to the Board elaborating on the order and providing direction regarding implementation. In November 2012, FHFA issued a document holding its original orders in place, while revising and replacing the November 2008 Letter of Instruction in light of experience and practice under the conservatorship. The revised document provided greater specificity on the respective roles and responsibilities of FHFA, the Board, and management in relation to the conservatorship.
[12] For notification, FHFA requires that Freddie Mac timely inform the Agency of any planned changes in its business processes or operations.
[13] The most current scorecard is contained in FHFA’s 2014 Scorecard for Fannie Mae, Freddie Mac and Common Securitization Solutions (May 2014).
[14] According to Freddie Mac officials, the Enterprise conducts periodic meetings with other offices within FHFA regarding its overall IT operations, which may at times include discussions about the status of individual IT projects.
[15] Public Law No. 102-550.

FHFA’s examination program uses a risk-based approach to determine which supervisory activities it will employ to assess the Enterprises’ safety and soundness. Beginning in 2010, FHFA determined that Freddie Mac’s IT governance infrastructure represented significant risk to its operations.[16] In fact, in its 2013 Report to Congress (June 13, 2014), FHFA concluded that additional Freddie Mac management attention was required related to operational risk, including information technology, to reduce the risk profile to acceptable levels. As such, FHFA conducted ongoing monitoring procedures that identified several weaknesses in Freddie Mac’s IT governance processes. FHFA considered these weaknesses to be of “critical concern,” which prompted two subsequent targeted examinations and a special review in addition to continued ongoing monitoring.

Finding: Additional Supervisory Review and Guidance is Needed to Determine Whether Freddie Mac Has Implemented a Complete and Effective IT Investment Management Process

FHFA has not determined through examination or other activity whether Freddie Mac has implemented a complete and effective IT investment management process.
Further, FHFA has not issued formal requirements or guidance to Freddie Mac on IT investment management. FHFA examination efforts and recent guidance focused on project-level controls for IT systems and did not address portfolio-level controls, such as aligning IT investment with strategic goals and developing an overall IT infrastructure to support current and planned business operations. Additional focus on these areas can help strengthen the management of IT investments.

Lack of Comprehensive Assessment of IT Investment Management Process

Between 2010 and 2013, FHFA conducted two examinations, a supervisory review, and ongoing monitoring that assessed Freddie Mac’s IT governance structure (including Board and committee responsibilities, and executive reporting) and its IT project management processes. According to FHFA officials, the Agency focused on Freddie Mac’s IT governance because it presented a critical concern to Freddie Mac’s IT operations.[17] Specifically, Freddie Mac’s IT infrastructure (policy, procedures, and senior management) was evolving as it went through four reorganizations. As a result, FHFA’s examinations and review understandably focused on Freddie Mac’s IT governance issues.

[16] IT governance includes the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. Organizations need a strong governance model in place to align IT investments with business requirements. In contrast, ITIM is an integrated process (framework) focused on achieving desired business outcomes through the continuous selection, control, and evaluation of IT initiatives. The establishment of an IT governance structure is one of several processes that make up a successful ITIM framework.
[17] In 2010, FHFA examiners found that the governance and control framework for Freddie Mac’s IT infrastructure was inadequate. The existing governance and control framework lacked policy and controls needed to sustain and operate an adequate IT environment.

While assessing Freddie Mac’s IT governance, FHFA’s examiners also observed that Freddie Mac was experiencing other increased IT operational risks, such as issues with outdated systems, inadequate funding of existing projects, and the cancellation of an IT project after a significant outlay of resources over multiple years. From 2010-2012, Freddie Mac spent over $200 million on a company-wide initiative to enhance its current business processes and address outdated infrastructure issues. However, the project was not completed, and during 2012, portions of the initiative were either cancelled with no benefit to Freddie Mac or broken out into smaller projects. Although FHFA issued three Matters Requiring Attention (MRAs) regarding Freddie Mac’s IT infrastructure (outdated systems, IT governance and budget allocation) in 2010, FHFA did not adjust its supervisory approach to identify the underlying causes of this project’s failure (e.g., what critical processes of ITIM had not been implemented or were ineffective).
As noted above, research suggests that IT project failures and increased project costs can be partially attributed to a lack of solid management tools for evaluating, prioritizing, monitoring, and controlling IT investments from a portfolio perspective.

Although FHFA did not adjust its examination plan, OIG noted that FHFA’s examinations and special review assessed some of the critical processes of an effective ITIM framework.[18] Appendix A contains the results of the OIG analysis. However, FHFA’s supervisory strategy from August 2010 through December 2013 did not include an overall assessment of whether Freddie Mac has implemented a complete and effective IT investment management framework. Without assessing the existence and effectiveness of critical ITIM processes, FHFA is unable to determine the level of maturity of Freddie Mac’s ITIM framework, identify weaknesses or risks that could negatively impact Freddie Mac’s IT budget and operations, or offer recommendations for improvement. As a result, Freddie Mac’s current and future planned IT projects may experience uncertainty regarding requirements, escalating costs, slippages in project schedules, and inconsistent project outcomes.

Formal IT Investment Management Guidance Not Issued to Freddie Mac

FHFA has not published formal requirements or guidance specifically governing Enterprise IT investment management. FHFA is authorized to issue prudential management and operations standards under the Federal Housing Enterprises Financial Safety and Soundness Act, as well as provide direction to the Enterprises through various other authorities.[19] Such guidance is essential for the Enterprises to use in managing investments in their overall portfolio of IT systems as well as developing and maintaining individual information systems.
Additionally, the\nguidance is needed as part of the Agency\xe2\x80\x99s Information Technology Risk Management Program\nalready provided to FHFA examiners to assess those investment programs. For example, the\nFederal Financial Institution Examination Council (FFIEC) has published the Information\n18\n   OIG analyzed FHFA\xe2\x80\x99s two examinations and a special review to determine which, if any, of the critical processes\nof ITIM were covered in the examination/review. OIG used GAO\xe2\x80\x99s ITIM framework as the basis for evaluating\nFHFA\xe2\x80\x99s supervision of Freddie Mac\xe2\x80\x99s IT investment process.\n19\n     12 U.S.C. 4513.\n\n\n     Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2014-017 \xe2\x80\xa2 September 25 2014\n                                                       10\n\x0cTechnology Examination Handbook to guide examiners in the performance of examinations of\nfinancial institutions in such critical areas as the development and acquisition of new systems.20\nIn one section of the FFIEC guidance concerning planning for IT operations and investment, it\nstates:\n\nFinancial institution boards and management should implement an IT planning process that:\n\n       \xef\x82\xb7   Aligns IT with the corporate-wide strategic plan;\n\n       \xef\x82\xb7   Aligns IT strategically and operationally with business units;\n\n       \xef\x82\xb7   Maintains an IT infrastructure to support current and planned business operations;\n\n       \xef\x82\xb7   Integrates IT spending into the budgeting process and weighs direct and indirect\n           benefits against the total cost of ownership of the technology; and\n\n       \xef\x82\xb7   Ensures the identification and assessment of risk before changes or new investment in\n           technology.\n\nThis guidance addresses the portfolio-level issue that should be considered in the management\nof information technology, such as overall portfolio alignment with strategic 
objectives. Another
key aspect of IT investment management is measuring and monitoring performance. Again,
FFIEC has laid out examination guidance for outcome-based measurement, establishment of
performance benchmarks, and quality control functions in the IT environment. As such, the
FFIEC guidance captures important responsibilities associated with IT investment management.
Since FHFA has not issued similar portfolio-level guidance regarding Freddie Mac’s IT
investment portfolio, it is challenged to determine whether Freddie Mac has implemented an
effective ITIM process.

Other parts of the FFIEC guidance address project-level development. To its credit, in late 2013,
FHFA issued its FHFA Examination Manual that includes a section entitled “Information
Technology Risk Management Program.” The section addresses project-level development
activities, stating that the Enterprises must have clearly identified project management
methodologies that are commensurate with a project’s characteristics and risks. According to
FHFA’s guidance, project management methodologies should include:

       1. Management sponsorship and commitment;

       2. Project plans;

       3. Definitions of project requirements and expectations;

       4. Project management standards and procedures;

       5. Quality assurance and risk management standards and procedures;

       6. Definitions of project roles and responsibilities;

       7. Approval authorities and procedures;

       8. Involvement by all affected parties;

       9. Project communication techniques; and

       10. Validation of project execution.

20 FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms
for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the
Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of
the Currency, and the Consumer Financial Protection Bureau, and to make recommendations to promote uniformity
in the supervision of financial institutions.

In OIG’s opinion, FHFA’s project-level guidance in its Information Technology Risk
Management Program could readily be supplemented with portfolio-level guidance on
Enterprise-wide IT investment management. Such guidance would help ensure FHFA can place
some level of reliance on Freddie Mac’s process given the delegations in place.

Incomplete Evaluation of Investment Information Provided by Freddie Mac

According to GAO, an organization must be able to acquire pertinent information (e.g., project
owner, project category, current life cycle phase, costs to date, and anticipated costs) about each
IT project in its portfolio and store that information in a retrievable format (i.e., a report) to be
used in future investment decisions.
The same information should be useful to FHFA examiners
in evaluating and monitoring Freddie Mac’s IT investments. FHFA’s examination and ongoing
monitoring procedures require that examiners review multiple reports and other artifacts that
support Freddie Mac’s IT budget and projects.

One of the primary reports used by FHFA examiners to monitor Freddie Mac’s IT operations is
the monthly IT Monthly Management Report (MMR). According to Freddie Mac officials, the
intent and purpose of the IT MMR is not to provide a comprehensive update on all IT projects,
but rather an executive rollup view of top programs or projects and their current status. OIG
found that the IT MMR does not contain all of the pertinent information recommended by GAO.
In fact, the IT MMR provides current-year budget information and project end dates for only 16
IT projects (budgeted to cost approximately $102 million). For example, the IT MMR did not
provide details regarding the Multifamily Pricing and Securitization Platform program, such as
the original budget, number of missed milestones, and what actions, if any, were taken by
Freddie Mac to address issues associated with this program.

Alternatively, the Enterprise Initiatives Report, a newly developed internal Freddie Mac report,
provides information on Freddie Mac’s current portfolio of over 250 projects. However, this
report, just like the IT MMR, only provides current-year budgeted costs for those projects.
Given
its reliance on Freddie Mac documentation to evaluate the Enterprise’s operations, FHFA should
assess whether enough information is provided in the IT MMR or other IT project reports (i.e.,
Enterprise Initiatives Report) to conduct its ongoing monitoring activities of Freddie Mac’s IT
investment process and portfolio of IT projects.

FHFA confirmed that its examiners had not evaluated the accuracy of information contained in
the IT MMR or the methodology by which Freddie Mac selected the IT projects presented in the
report. Without accurate, complete, and relevant portfolio and project-level data, FHFA loses
the ability to timely identify and question the status of troubled, over-budget, and/or
underperforming IT investments. Information contained in the MMR does not allow FHFA to
determine whether Freddie Mac is addressing troubled investments in a timely manner, or
whether the troubled investment will continue to provide its initially determined value.

An effective ITIM process adds confidence that a proposed investment’s risks and returns have
been evaluated using qualitative and quantitative measures, that controls are in place to ensure
that the project continues to meet mission needs at the expected levels of cost and risk, and that
adequate funds and resources are available for its success. FHFA has the responsibility to ensure
that Freddie Mac utilizes safe and sound practices, such as ITIM, to manage its IT investments.

Recommendations

OIG recommends that FHFA:

   1. Conduct a comprehensive examination to determine whether Freddie Mac has
      implemented and enforces an effective information technology investment management
      process.

   2. Develop and issue Enterprise information technology investment management guidance.

   3. Evaluate whether Freddie Mac reports currently used by FHFA examiners provide the
      information necessary to conduct effective supervisory monitoring of Freddie Mac’s
      portfolio of IT investments.

Objective, Scope, and Methodology

The overall objective of this audit was to assess FHFA’s oversight of Freddie Mac’s IT
investment management process. Specifically, OIG sought to review the extent and effectiveness
of FHFA’s oversight of Freddie Mac’s ITIM processes.

In order to accomplish this objective, OIG:

   •   Researched ITIM federal laws and regulations and best practices used in both the
       federal government and private industry;

   •   Interviewed FHFA officials from the Division of Conservatorship Operations and
       DER;

   •   Interviewed Freddie Mac Budget and Financial Planning and Enterprise Risk
       Management Personnel;

   •   Obtained documentation from FHFA staff in DER and the Office of Conservatorship
       Operations about the Agency’s oversight, supervision and guidance of Freddie Mac’s
       IT investment;

   •   Obtained documentation from Freddie Mac staff in the Budget and Financial Planning
       Group within the Division of Finance;

   •   Analyzed FHFA supervisory activities regarding IT governance;

   •   Discussed potential fraud issues with FHFA; and

   •   Assessed internal control within FHFA’s oversight process.

OIG did not review and is not expressing an opinion on Freddie Mac’s IT investment
management
processes.

OIG conducted work for this audit from January 2014 through June 2014 at FHFA’s
headquarters in Washington, D.C., and Freddie Mac’s corporate offices in McLean, VA. OIG
conducted its audit in accordance with generally accepted government auditing standards. Those
standards require that OIG plan and perform audits to obtain sufficient, appropriate evidence to
provide a reasonable basis for the findings and conclusions based on the audit objective. OIG
believes that the evidence obtained provides a reasonable basis for the findings and conclusions
included herein, based on the audit objective. OIG considers its findings to be significant in the
context of the audit objective.

OIG appreciates the cooperation of everyone who contributed to this audit, including officials at
FHFA and Freddie Mac. This audit was led by Brent Melson, Audit Director, who was assisted
by Joseph Nelson, Audit Manager, Joi Neal, Senior Auditor, and Andrew Gegor, Senior Auditor.

cc:       Melvin L. Watt, Director
          Eric Stein, Chief of Staff
          Larry Stauffer, Acting Chief Operating Officer
          Robert Ryan, Special Advisor
          Mark Kinsey, Chief Financial Officer
          John Major, Internal Controls and Audit Follow-up Manager

Appendix
      Appendix A:         OIG’s Analysis of FHFA’s Supervision Activities
      Appendix B:         FHFA’s Comments
      Appendix C:         OIG’s Response to FHFA’s Comments
      Appendix D:         Summary of Management’s Comments on the Recommendations

Appendix A

OIG’s Analysis of FHFA’s Supervision Activities

The results of OIG’s analysis of FHFA’s supervision are detailed below:

ITIM Critical Processes                                                August 2010           July 2011             August 2012           August 2013
                                                                       Ongoing Monitoring    Targeted Examination  Targeted Examination  Supervisory Review
IT Strategic Planning21                                                Not Addressed         Evaluated             Not Addressed         Not Addressed
Instituting Investment Board/Committees                                Evaluated             Evaluated             Not Addressed         Not Addressed
Establishing Investment Management Standards (meeting business needs)  Not Addressed         Not Addressed         Partially Evaluated   Not Addressed
Selection of IT Investment                                             Not Addressed         Not Addressed         Not Addressed         Not Addressed
Capturing Investment Information (Data and Reporting)                  Not Addressed         Partially Evaluated   Partially Evaluated   Partially Evaluated
Investment Oversight                                                   Partially Evaluated   Partially Evaluated   Evaluated             Evaluated
Defining the Investment Portfolio                                      Not Addressed         Not Addressed         Not Addressed         Not Addressed
Creating the Investment Portfolio                                      Not Addressed         Not Addressed         Not Addressed         Not Addressed
Evaluating the Investment Portfolio                                    Not Addressed         Not Addressed         Not Addressed         Partially Evaluated
Conducting Post-Implementation (Quality Assurance Reviews)             Not Addressed         Not Addressed         Not Addressed         Not Addressed

OIG used GAO’s ITIM Framework as the basis for evaluating FHFA’s supervision of Freddie
Mac’s IT investment processes.
OIG determined that Freddie Mac’s IT investment processes
mirror Stage 2, “Building the Investment Foundation,” and Stage 3, “Developing a Complete
Investment Portfolio.” OIG recognizes that in addition to Stages 2 and 3, Freddie Mac may
be implementing additional critical processes associated with higher maturity stages in GAO’s
framework.

21 GAO’s ITIM Framework does not evaluate an organization’s strategic planning process. However, OIG,
recognizing the importance of strategic planning in determining the selection of IT projects, used it as a critical
process in reviewing FHFA’s examination activities.

Appendix B

FHFA’s Comments

Appendix C

OIG’s Response to FHFA’s Comments

On September 12, 2014, FHFA provided comments to a draft of this report, mostly agreeing with
OIG’s recommendations and identifying specific actions to address them. FHFA partially agreed
with recommendation 1 and agreed with recommendations 2 and 3.

FHFA partially agreed with Recommendation 1 and will include a review of Freddie Mac’s IT
investment management process in its 2015 examination activities.
FHFA stated that the timing
and nature of examination work to be performed by its examiners over Freddie Mac’s IT
investment process will be determined by its risk-based annual supervision planning process.
OIG considers FHFA’s response to recommendation 1 to be sufficient to resolve the
recommendation. However, the recommendation will remain open until OIG reviews both the
2015 examination planning documentation and related supervision activities executed over
Freddie Mac’s IT investment management process.

FHFA agreed with Recommendation 2 and will issue an advisory bulletin by September 30,
2015, that communicates the supervisory expectation regarding information technology
investment management at both Enterprises.

FHFA also agreed with Recommendation 3. By September 30, 2015, FHFA will evaluate the
reports, data, and other information provided by Freddie Mac and the use of these items by
FHFA examiners in assessing Freddie Mac’s management of its information technology
resources and its ability to meet business needs.

OIG considers the planned actions sufficient to resolve these recommendations, which will
remain open until OIG determines that the agreed upon corrective actions are completed. OIG
considered the Agency’s full response (attached as Appendix B) along with technical comments
in finalizing this report.
Appendix D provides a summary of management’s comments on the
recommendations and the status of agreed-upon corrective actions.

Appendix D

Summary of Management’s Comments on the Recommendations

This table presents management’s response to the recommendations in OIG’s report and the
status of the recommendations as of when the report was issued.

Rec.   Corrective Action: Taken or        Expected     Monetary       Resolved:     Open or
No.    Planned                            Completion   Benefits       Yes or No a   Closed b
                                          Date         ($ Millions)
1.     FHFA will include a review of      1/15/2015    $0             Yes           Open
       Freddie Mac’s IT investment
       management process in its 2015
       examination activities.
2.     FHFA will issue an Advisory        9/30/2015    $0             Yes           Open
       Bulletin that articulates
       supervisory expectations for
       information technology
       investment management by the
       Enterprises.
3.     FHFA will review the reports,      9/30/2015    $0             Yes           Open
       data, and information provided
       to FHFA examiners by Freddie
       Mac and the use of these
       reports by examiners in
       assessing how effectively
       Freddie Mac manages its
       information technology
       resources and meets
       Enterprise-wide information
       needs.
Total                                                  $0

a Resolved means: (1) Management concurs with the recommendation, and the planned, ongoing, and completed
corrective action is consistent with the recommendation; (2) Management does not concur with the recommendation,
but alternative action meets the intent of the recommendation; or (3) Management agrees to the OIG monetary
benefits, a different amount, or no amount ($0). Monetary benefits are considered resolved as long as management
provides an amount.

b Once OIG determines that the agreed-upon corrective actions have been completed and are responsive, the
recommendations can be closed.

Additional Information and Copies

For additional copies of this report:

   •   Call: 202-730-0880

   •   Fax: 202-318-0239

   •   Visit: www.fhfaoig.gov

To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

   •   Call: 1-800-793-7724

   •   Fax: 202-318-0358

   •   Visit: www.fhfaoig.gov/ReportFraud

   •   Write:

                FHFA Office of Inspector General
                Attn: Office of Investigation – Hotline
                400 Seventh Street, S.W.
                Washington, DC 20024
"